Pes CVS GM18 8-7 B117



IEEE PES GM 2018


Tuesday (8/7)
Cyber-Physical Systems Security for the Power Grid: Methodologies, Metrics and Tools
• Chairs: A. Hahn, Washington State University; M. Govindarasu, Iowa State University

Panelists:
C. Liu, Virginia Tech
P. Sauer, University of Illinois
G. Johnson, Ames Laboratory, DOE
IEEE PES General Meeting, Portland, OR, Aug. 2018

Risk Assessment Methodology and Case Study


Chen-Ching Liu
American Electric Power Professor
Director, Power and Energy Center
Virginia Tech
Research Professor
Washington State University

Sponsored by U.S. National Science Foundation, Department of Energy, Science Foundation Ireland, Energy Systems Innovation Center (WSU).
Cyber Systems in Power Infrastructure

(Figure: cyber systems in the power infrastructure. Primary and secondary dispatcher control centers, each with user interfaces, training simulators, application servers, SCADA servers and database servers on a control center network, linked over a corporate WAN to other corporate intranets; vendor personnel or site engineers reach the remote access network through dial-up, VPN or wireless links behind firewalls and modems. The control centers reach the substation network over a frame relay network, radiowave or dedicated lines, with hackers shown on the frame relay network; the substation side has a data concentrator, firewall, router, modem and user interfaces. The power side shows transmission lines, transformers, busbars, breakers and feeders.)
Modeling Integrated Cyber-Power System

• Methodology for CPS modeling of power systems
– Develop the ICT model of SCADA system
– Integrate power grid model with ICT model for SCADA and grid control hierarchy
– Dynamics of a power grid and its data infrastructure are combined

• CPS tool used for assessment of SCADA communication performance
– Plan SCADA and ICT systems for power grids

• CPS tool used for cyber security assessment in co-simulation environment
– Model cyber attacks and assess CPS security
• Simulate cyber attacks at the cyber system layer
• Perform impact analysis at the power system layer
• Compute impact indices and attack efficiencies to disrupt power grid operation
Cyber-Physical System Model

(Figure: integrated cyber-power system model. Cyber system layer, control center level: each control center and its hot-standby has an ICT model with system servers, application servers, HMIs, cyber security system, synchronization system, historians, market system servers and web servers on a dual LAN behind routers and firewalls, plus RTU communication servers and control center (CC) servers; a transmission operator layer sits above the control centers. Cyber system layer, substation level: each substation 1..n has an ICT model with engineering station, workstation HMIs, web HMI, router, firewall, LAN, RTU, servers and IEDs 1..i. Power system layer: a 16-bus test system with generators G1-G5; bus voltages U are sampled at times t0, t1, ..., tk.)

(Figure: CPS simulation tool. Cyber system and transmission operator layers: Siemens Spectrum Power TG and SICAM PAS SCADA mimics on the transmission operator's console, connected through an OPC client and a Matrikon OPC server to a real-time database and to MATLAB Simulink, SimEvents and OPC toolboxes that model the cyber system, SCADA performance and cyber attacks. Power system layer: DIgSILENT PowerFactory with static and dynamic power grid models, exchanging state and control variables through a Matrikon OPC server with the real-time grid simulation for supervision and control, EMS tools, communication security and impact analysis.)
Cyber Attack Model

• Cyber attacks can be modeled using the CPS tool
– Denial-of-service (DoS) by flooding the queues
– Man-in-the-middle by capturing and modifying packets carrying measurements / control commands
– Unauthorized access to control assets such as RTUs and IEDs

• An attack path on the graph is identified as the series of all attack steps taken to compromise the main target, e.g., an RTU, and operate power devices
– All ICTs are vulnerable to cyber attacks
– An attack step takes t hours to compromise an ICT device
– Penetration tests are used to assess vulnerabilities and penetration times

Vulnerability Metrics: Dynamics

• Attack path on graph

(Figure: attack path through the substation ICT graph: Start → router / remote access firewall (delay t_attack,1) → workstation, HMI 1, HMI 2, web HMI → communication server 1 / communication server 2 (delay t_attack,2) → RTU (delay t_attack,3).)

$$t_{\text{attack path}} = \sum_{i=1}^{n_{MC}} t_{\text{attack delay},i}$$

• Attack efficiency to disrupt system operation is the success rate for the cyber attack path multiplied by the impact index on the power grid

$$\text{efficiency}_j = \text{success rate}_{\text{attack path},j} \times \text{impact index}_j$$

Impact on Power System - Dynamics

➢ Cyber-Physical Security Assessment

➢ Impact of the cyber attack is assessed by monitoring the dynamic behavior:
• frequency
• bus voltage magnitudes
• current levels on network elements
• loss of loads

The impact index for attack path j sums the normalized deviations (Δ) of these four quantities from the secure condition: a frequency term, a loss-of-load term over the n_Loads loads, a voltage term over the n_bus buses and a current term over the n_branch branches:

$$\text{impact index}_j = \frac{\Delta f}{f_{rated}} + \sum_{i=1}^{n_{Loads}} \frac{\Delta P_{L,i}}{P_{initial,i}} + \sum_{i=1}^{n_{bus}} \frac{\Delta U_i}{U_{rated}} + \sum_{i=1}^{n_{branch}} \frac{\Delta I_i}{I_{rated,i}}$$

➢ It shows how much the operation has moved from the secure condition:
• secure
• insecure
• critical
➢ The most critical attack path is identified based on the attack’s efficiency
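The attack-path delay, the path success rate, the impact index and the attack efficiency above, carried through in code. This is an added example, not the talk's own tool or code: the per-step delays, success probabilities and the power-system deviations are constructed values, and the assumptions that step outcomes are independent (so the path success rate is the product of per-step rates) and that deviations enter as absolute values are this example's, not the slides'.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class AttackStep:
    device: str            # ICT device compromised at this step
    t_attack_delay: float  # hours to compromise it (e.g. from a penetration test)
    success_prob: float    # probability that this step succeeds (constructed)


def attack_path_delay(steps: Sequence[AttackStep]) -> float:
    """t_attack_path: sum of the per-step compromise delays along the path."""
    return sum(s.t_attack_delay for s in steps)


def attack_path_success_rate(steps: Sequence[AttackStep]) -> float:
    """Success rate of the whole path: every step must succeed.
    Assumption: step outcomes are independent, so the per-step rates multiply."""
    rate = 1.0
    for s in steps:
        rate *= s.success_prob
    return rate


def impact_index(delta_f: float, f_rated: float,
                 delta_pl: Sequence[float], p_initial: Sequence[float],
                 delta_u: Sequence[float], u_rated: float,
                 delta_i: Sequence[float], i_rated: Sequence[float]) -> float:
    """Impact index: normalized deviations from the secure operating point, summed
    over frequency, lost load (per load), bus voltage (per bus) and branch current
    (per branch). Absolute values are an assumption so that deviations do not cancel."""
    term_f = abs(delta_f) / f_rated
    term_pl = sum(abs(dp) / p0 for dp, p0 in zip(delta_pl, p_initial))
    term_u = sum(abs(du) / u_rated for du in delta_u)
    term_i = sum(abs(di) / ir for di, ir in zip(delta_i, i_rated))
    return term_f + term_pl + term_u + term_i


def attack_efficiency(success_rate: float, impact: float) -> float:
    """Efficiency of attack path j: success rate times impact index."""
    return success_rate * impact


def most_critical_path(efficiencies: Dict[str, float]) -> str:
    """The path with the highest efficiency is the one to harden first."""
    return max(efficiencies, key=efficiencies.get)


# Constructed path: remote-access workstation -> communication server -> RTU
PATH_SUB3: List[AttackStep] = [
    AttackStep("remote-access workstation", 4.0, 0.10),
    AttackStep("communication server", 2.0, 0.50),
    AttackStep("RTU", 1.0, 0.80),
]


def example_efficiency() -> float:
    """Efficiency of PATH_SUB3 for a constructed set of post-attack deviations:
    60 mHz frequency deviation, 10 MW lost from a 50 MW load, two bus voltage
    deviations of 0.05 and 0.02 pu, one branch at 30 A over a 100 A rating."""
    rate = attack_path_success_rate(PATH_SUB3)
    impact = impact_index(delta_f=0.06, f_rated=60.0,
                          delta_pl=[10.0], p_initial=[50.0],
                          delta_u=[0.05, 0.02], u_rated=1.0,
                          delta_i=[30.0], i_rated=[100.0])
    return attack_efficiency(rate, impact)


if __name__ == "__main__":
    print(f"path delay:   {attack_path_delay(PATH_SUB3):.1f} h")
    print(f"success rate: {attack_path_success_rate(PATH_SUB3):.4f}")
    print(f"efficiency:   {example_efficiency():.5f}")
```

Ranking several candidate paths by `attack_efficiency` and hardening the top one first is the decision the slides describe; the success rate in a real assessment comes from penetration-test data rather than the constructed probabilities used here.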

Simulation Results

• Cyber attack scenario
– Cyber attack type is unauthorized access and control
– Main target is substation RTU
– Attack path is from outside the substation communication network to RTU
– Attackers exploit vulnerabilities of security controls protecting the ICTs
– Cyber attack scenario is to compromise the ICTs
• Substation workstation for remote access
• Communication server
• RTU
– Unauthorized controls are sent to IEDs, e.g., trigger open circuit breakers and modify voltage and active power set points or tap positions

Simulation Results

• Cyber attack at substation 3
– Most critical ICT path is identified
– Workstation for remote access was most difficult to compromise
– The overall success rate for the cyber attack is 0.194 %
– Load 25 and transmission line 25-26 were disconnected
– Tap position for the main transformer was modified
– System dynamics are affected and a high impact index of 367.67 is computed
– The attack efficiency to disrupt the secure operation is 71.45 %
– Cyber security must be enhanced at substation 3

Simulation Results
• Cyber attack at substation 3

(Figure: G2 electrical frequency in Hz versus time, 0-50 s; vertical axis 59.98-60.10 Hz.)

Simulation Results
• Attack efficiencies to disrupt power system secure operation

(Figure: chart of attack efficiencies.)

Intrusion into a Substation Network

(Figure: the "Cyber Systems in Power Infrastructure" diagram repeated, highlighting the intrusion route from the hackers on the frame relay network into the substation network.)
Potential Threats in a Substation Based on IEC 61850

(Figure: threat points by IEC 61850 level.)
• Station level (user interface, GPS): compromise the user interface
• Bay level (IED, relay, PMU): gain access to bay-level devices; change device settings
• Process level (merging unit, actuator, circuit breaker, CT and VT): generate GOOSE messages; modify / fabricate analog values
Integrated Anomaly Detection System
Consequence of GOOSE Based Attack
Host-Based Anomaly Detection
▪ Detection of temporal anomalies is performed by comparing consecutive row vectors representing a sequence of time instants

▪ If a discrepancy exists between two different periods (rows, 10 seconds), the anomaly index is a number between 0 and 1

▪ A value of 0 implies no discrepancy whereas 1 indicates the maximal discrepancy

Host-based anomaly indicators
▪ ψ^a (intrusion attempt on user interface or IED)
▪ ψ^cf (change of the file system)
▪ ψ^cs (change of IED critical settings)
▪ ψ^o (change of status of breakers or transformer taps)
▪ ψ^m (measurement difference)
Host-Based Anomaly Detection

- At 10:20:000, there is no anomaly so t_1 is [0 0 0 0 0].
- At 10:30:000, ADS detects a wrong password attempt to IED 1 so t_2 is [1 0 0 0 0].
- At 10:40:000, ADS detects an unauthorized file change to the user-interface so t_3 is [1 1 0 0 0].
- At 10:50:000, there is no change so t_4 is [1 1 0 0 0].
- At 11:00:000, there is no change so t_5 is [1 1 0 0 0].
- At 11:10:000, ADS detects two anomalies, unauthorized setting change to IED 2 and unauthorized tap change to transformer 1 so t_6 is [1 1 1 1 0].
- At 11:20:000, there is no change so t_7 is [1 1 1 1 0].
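The row-vector walk-through above, reproduced in code as an added example (not the talk's anomaly detection system). The indicator order follows the slide's list ψ^a, ψ^cf, ψ^cs, ψ^o, ψ^m; the event log is constructed to mirror the t_1 .. t_7 sequence; and the anomaly index between consecutive rows is computed here as the fraction of indicator positions that changed, which is this example's assumed definition, chosen because it satisfies the slide's 0 (no discrepancy) to 1 (every indicator changed) range.

```python
from typing import Dict, List

INDICATORS = ["psi_a", "psi_cf", "psi_cs", "psi_o", "psi_m"]

# Constructed event log: period number -> indicators raised in that period.
EVENTS: Dict[int, List[str]] = {
    2: ["psi_a"],            # wrong password attempt on IED 1
    3: ["psi_cf"],           # unauthorized file change on the user interface
    6: ["psi_cs", "psi_o"],  # IED 2 setting change and transformer 1 tap change
}


def build_rows(events: Dict[int, List[str]], n_periods: int) -> List[List[int]]:
    """One row vector per period. An indicator, once raised, stays raised in
    later rows, matching the slide's t_1 .. t_7 sequence."""
    rows: List[List[int]] = []
    current = [0] * len(INDICATORS)
    for t in range(1, n_periods + 1):
        for name in events.get(t, []):
            current[INDICATORS.index(name)] = 1
        rows.append(list(current))
    return rows


def anomaly_index(prev: List[int], curr: List[int]) -> float:
    """Assumed definition: fraction of indicator positions that differ between two
    consecutive rows (0 = no discrepancy, 1 = maximal discrepancy)."""
    changed = sum(1 for p, c in zip(prev, curr) if p != c)
    return changed / len(prev)


def temporal_anomaly_indices(rows: List[List[int]]) -> List[float]:
    """Index for each transition t_(k-1) -> t_k, k = 2 .. n."""
    return [anomaly_index(rows[i - 1], rows[i]) for i in range(1, len(rows))]


def periods_above(rows: List[List[int]], threshold: float) -> List[int]:
    """Periods t (1-based) whose transition from t-1 exceeds the threshold;
    these are the rows an operator would be alerted on."""
    indices = temporal_anomaly_indices(rows)
    return [t for t, idx in zip(range(2, len(rows) + 1), indices) if idx > threshold]


if __name__ == "__main__":
    rows = build_rows(EVENTS, 7)
    for t, row in enumerate(rows, start=1):
        print(f"t_{t}: {row}")
    print("anomaly indices:", temporal_anomaly_indices(rows))
    print("periods above 0.3:", periods_above(rows, 0.3))
```

With the slide's sequence, the only transition that touches two indicators at once is t_5 → t_6, so a threshold between 0.2 and 0.4 singles out the period in which the IED setting and transformer tap changes coincide.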
System Integration

(Figure: HMI integrated with the Anomaly Detection System.)

Coordinated Cyber Attack

(Figure: cities 1-4 on the grid with cascading events 1, 2 and 3.)

Coordinated Cyber Attack Detection System (CCADS)
Similarity index
User defined threshold value
Compromised substations

Simulation Results: Frequency and Voltage Profiles

Intrusion Detection System

Industry collaboration and outreach programs for cybersecurity of the power grid
Peter W. Sauer
University of Illinois at Urbana-Champaign
IEEE/PES/2018 GM Portland, OR
Tuesday, August 7, 2018 (1-5pm)

IEEE Smart Grid Resource Center (Webinar slides): http://resourcecenter.smartgrid.ieee.org/

Ethical Hacking in the Electric Grid
Posted: 7 Dec 2017
Author: Tim Yardley
Primary Committee: IEEE Smart Grid Webinar Series

IEEE Smart Grid Resource Center (Webinar slides): http://resourcecenter.smartgrid.ieee.org/

Cybersecurity for the Smart Grid: Challenges and R&D Directions
Posted: 21 Dec 2017
Author: Manimaran Govindarasu
Primary Committee: IEEE Smart Grid Webinar Series

IEEE Smart Grid Resource Center (Webinar slides): http://resourcecenter.smartgrid.ieee.org/

Cyber-Physical Security Analysis for Transactive Energy Systems
Posted: 22 Mar 2018
Author: Anurag Srivastava
Primary Committee: IEEE Smart Grid Webinar Series

Power Systems Engineering Research Center (PSERC) project S-72 – Attack-Resilient and Secure EMS: Design, Algorithms, Operational Protocols, and Evaluation

Reduced Project summary: This project aims to consider the following fundamental question: can reasonably realistic (i.e., attackers with limited capabilities) cyber-attacks be modeled and tested on electric power system (EPS) simulation platforms to evaluate attack severity and consequences and evaluate resiliency of energy management systems (EMSs) to such attacks?
The goal of the proposed research is three-fold:
(i) identify credible threats and develop attack-resilient control algorithms (countermeasures) that can be modularly integrated into energy management systems (EMSs);
(ii) develop a realistic software-hardware simulation testbed comprised of an EMS software platform (ASU) and a hardware SCADA system in conjunction with a power system simulator (ISU); and
(iii) use the integrated software-hardware testbed to evaluate credible threats and countermeasures.

Academic Team Members: Lalitha Sankar (ASU), Manimaran Govindarasu (ISU), and Oliver Kosut (ASU)

Industry Team Members: Reynaldo Nuqui (ABB), Jay Giri (Consultant), Sharon Xia (ALSTOM), Evangelos Farantatos (EPRI), Mahendra Patel (EPRI), Eugene Litvinov (ISO New England), Mark Westendorf (MISO), Benjamin Kroposki (NREL), Maurice Martin (NREL), Erfan Ibrahim (NREL), George Stefopoulos (NYPA), Harvey Scribner (SPP), and Brandon Aquirre (Tri-State)

Power Systems Engineering Research Center (PSERC) project S-82G – Cyber-Physical Modeling, Visualization and Metric for Microgrid Resiliency

Reduced Project summary: This project aims to develop cyber-physical microgrid models and simulations focused on evaluating resiliency and enabling a 3D visualization framework through the following tasks:
i) Cyber-Physical Microgrid Modeling for IEEE test system and Miramar Microgrid,
ii) Cyber-Physical Resilience Metric and Visualization inspired by the Ukraine Attack, and
iii) Cyber-Physical Defense Mechanisms and Enhanced Resilience.
Increased awareness of the microgrid operational status considering cyber-physical layers will enable the operator to take cyber-physical control actions and enable resiliency.

Academic Team Members: Anurag Srivastava (WSU) and Adam Hahn (WSU)

Industry Team Members: Brian Miller (NREL), Glen Chason (EPRI), Dan Ton (DOE), Evangelos Farantatos (EPRI), Tony Thomas (NRECA)

TCIP and TCIPG

https://tcipg.org/
Provides links to the content of industry workshops from 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014

Includes research activity fact sheets and posters from industry workshops from 2011, 2012, 2013, 2014

Provides links to Summer Schools on Cyber Security in 2008, 2011, 2013, 2015
Cyber Resilient Energy Delivery Consortium (CREDC)
Department of Energy – OE
Department of Homeland Security – S&T

University of Illinois at Urbana-Champaign
Argonne National Laboratory
Arizona State University
Dartmouth College
Massachusetts Institute of Technology
Old Dominion University
Oregon State University
Pacific Northwest National Laboratory
Rutgers University
Tennessee State University
University of Houston
Washington State University

Cyber Resilient Energy Delivery Consortium (CREDC)

https://cred-c.org/
Provides links to the content of industry workshops from 2016, 2017, information on 2018

Provides links to current research activity summaries with industry collaboration.

Provides information on the 2017 and 2019 Summer Schools (currently scheduled for June 24-28, 2019 - to be confirmed) at the Q Center, St. Charles, IL

Education - Interactive activities

• Applets on:
– Power and Energy in the home
– Electricity and time of use pricing
– The power grid
– Power economics and emissions
– Wind and storage
– Tesla town
• Minecraft

Education - Interactive activities

• PowerWorld and Guardians of the Grid
• Ciphers and Encryption
https://www.khanacademy.org/computing/computer-science/cryptography
• CryptoClub
http://cryptoclub.org/
• Cyber Security Lab – a game
http://www.pbs.org/wgbh/nova/labs/lab/cyber/

Paper No: 18PESGM2625

Tools to Enable Automated Cyber Threat Information Sharing
Grant Johnson
Ames Laboratory
PES General Meeting 2018

Topics
• Why Information Sharing?
• Cyber Fed Model (CFM) Background
• Sharing Considerations
• Existing Options
• Last Quarter-Mile Toolset (LQMT)
• Flexible Transform

Why Information Sharing?

• Allow one organization’s detection to become another’s prevention
– NIST SP 800-150 – Guide to Cyber Threat Information Sharing

• Local Uses:
– Operational Deterrence – update security controls and monitoring
– Strategic Design – use as inputs for mitigations and design of security architecture

• Community Benefits:
– Reduce long term risk for the sharing community
– Increase effort and costs of an attack
– Impede attack progress within a community in near real-time

Cyber Fed Model (CFM)

• Argonne National Lab Program; operational since 2009, concept development began in 2004
– Geographically separated high availability
– Payload agnostic data model
– Supports broadcast and directed sharing models

• Independent Communities with Multi-Layer encryption

• Use Cases
– Defense: rapid M2M exchange of bad actor indicators
– Sit. Awareness: site/enterprise details on bad actor interactions

https://cfm.gss.anl.gov/

CFM Architecture

(Figure: CFM architecture.)

Sharing Community Considerations

• Trust between participants
– Who shares your threats & vulnerabilities?
– Who interacts with your infrastructure?

• Common operational environments lead to common threats

• Enabled by sharing agreements
– Limit liability and safeguard privacy

• Directed sharing vs. Broadcast

Community Options
• Open Source Feeds

• Commercial Feeds

• ISACs / ISAOs / CERTs

• Aggregated feeds into Threat Intelligence Platforms

• Community Centered Programs
– DHS Automated Indicator Sharing (AIS) enabling Federal Government and private industry sharing

Considerations for Shared Data

• Usefulness of the Data
– Relevant – Unique to you
– Actionable – Human vs. Automated
– Timely – Context vs. Speed

• Consistency of the Data
– Formats and vocabulary vary
– Information for human analysts versus machine automation

• Privacy – sharing rules and de-identification to enable participation

Data Sharing Standards

• Technology used for Department of Homeland Security (DHS) Automated Indicator Sharing (AIS) program

• Open source software standards maintained by OASIS on GitHub

• Machine Speed Sharing:
– Indicators / Observables
– Course of Action
– Tools, Tactics, Procedures
– Incidents
– Campaigns / Threat Actors

US-CERT: https://www.us-cert.gov

Usage Readiness
• Cyber threat information is just one piece of the puzzle

• Start with simple cases to understand which data is valuable for automation

• Considerations for readiness:
– Current understanding of environment and assets
– Team size, capabilities, and capacity
– Current level of automation
– Current human use cases (such as threat hunting)
– Automation tradeoffs of noisy data, handling false positives, resource constraints
– It is easy to subscribe and listen; can you contribute?

Automating use of threat information

LAST QUARTER-MILE TOOLSET

LQMT
• Problem: Loading the dynamic threat information into analysis and protection tools is cumbersome and problematic
– Organizations have their own tools (firewall, SIEM, etc.)
– Tools have different interfaces, protocols, and formats
– Threat information is expressed in differing formats

• Goal: Translate the input formats into a common representation and send to output modules for updating end points.

https://github.com/anl-cyberscience/LQMToolset

LQMT Data Flow

(Figure: CTI ingest → LQMT processing → end points: firewall, SIEM, IDS.)

• Configure LQMT to automate defensive actions and collect situational awareness
– Tool Chains to route CTI to end points
– Filter desired CTI sources and types
– Add whitelist to avoid false positives

• Example Tool Support
– Splunk
– Checkpoint
– Palo Alto
– Arcsight Logger
– Syslog
– Bro
– Snort
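The data flow the slide describes (filter CTI by source and type, drop whitelisted values to avoid false positives, route the rest through tool chains to end points) as an added example. It is not LQMT's own code or configuration format: the feed records, the tool-chain table, the whitelist and the output formats rendered for each end point are all constructed for this illustration, and the IP addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Indicator:
    source: str   # feed that contributed the record
    kind: str     # "ipv4", "domain" or "snort_rule"
    value: str


# Constructed CTI feed, including a whitelisted IP, a whitelisted domain and
# one malformed record that must never reach an end point.
FEED: List[Indicator] = [
    Indicator("isac-feed", "ipv4", "198.51.100.7"),
    Indicator("isac-feed", "ipv4", "203.0.113.10"),             # on our whitelist
    Indicator("open-feed", "domain", "bad.example.org"),
    Indicator("open-feed", "domain", "updates.example.net"),    # on our whitelist
    Indicator("isac-feed", "snort_rule",
              'alert tcp any any -> any 502 (msg:"constructed test rule"; sid:1000001;)'),
    Indicator("isac-feed", "ipv4", "not-an-ip"),                # malformed
]

# Values known to be benign in this environment (constructed).
WHITELIST: Dict[str, Set[str]] = {
    "ipv4": {"203.0.113.10"},
    "domain": {"updates.example.net"},
}

# Hypothetical tool chains: which sources and indicator kinds each end point takes.
TOOL_CHAINS: Dict[str, Dict[str, Set[str]]] = {
    "firewall":     {"sources": {"isac-feed"},              "kinds": {"ipv4"}},
    "dns-sinkhole": {"sources": {"isac-feed", "open-feed"}, "kinds": {"domain"}},
    "ids":          {"sources": {"isac-feed"},              "kinds": {"snort_rule"}},
}


def is_well_formed(ind: Indicator) -> bool:
    """Reject records the end point could not act on (or could misinterpret)."""
    if ind.kind == "ipv4":
        try:
            ipaddress.IPv4Address(ind.value)
            return True
        except ValueError:
            return False
    return bool(ind.value.strip())


def filter_cti(feed: List[Indicator], chain: Dict[str, Set[str]],
               whitelist: Dict[str, Set[str]]) -> List[Indicator]:
    """Keep records whose source and kind the chain accepts, that parse, and
    that are not whitelisted."""
    return [ind for ind in feed
            if ind.source in chain["sources"]
            and ind.kind in chain["kinds"]
            and is_well_formed(ind)
            and ind.value not in whitelist.get(ind.kind, set())]


def render(chain_name: str, ind: Indicator) -> str:
    """Output module: the end point's own representation (constructed formats)."""
    if chain_name == "firewall":
        return f"block src {ind.value}"
    if chain_name == "dns-sinkhole":
        return f"sinkhole {ind.value}"
    return ind.value  # Snort rules are passed through verbatim to the IDS


def route(feed: List[Indicator], chains: Dict[str, Dict[str, Set[str]]],
          whitelist: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Run every tool chain over the feed and collect per-end-point outputs."""
    return {name: [render(name, ind) for ind in filter_cti(feed, cfg, whitelist)]
            for name, cfg in chains.items()}


if __name__ == "__main__":
    for end_point, actions in route(FEED, TOOL_CHAINS, WHITELIST).items():
        print(end_point, actions)
```

The whitelist check runs before anything is rendered for an end point, which is the point the slide makes about false positives: a blocking control such as a firewall should never receive an indicator the organization already knows to be benign.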

Example Use Case

• Similar to the continuous cycle of the Integrated Adaptive Cyber Defense (IACD) functional areas
– Sensing – Identify a shared Snort Rule, add to IDS monitoring, and collect matching logs.
– Acting – Insert a shared IP indicator as a Firewall Block

Dynamic Format Translations

FLEXIBLE TRANSFORM

Flexible Transform
• Problem: Using data is difficult when every contributor does not speak a common language
– Exponentially increasing development effort to support new formats
– Loss of meaning and context between the formats

• Goal: Translate between CTI sharing formats while preserving the semantics as far as possible.

https://github.com/anl-cyberscience/FlexTransform

Flexible Transform Background

• Python tool to enable dynamic translations between formats
– Ingest & Parse data to semantic roots
– Map to output elements in target format

• Components of a format
– Syntax – CSV, XML, JSON
– Schema – Valid terms, the data represented, and restrictions on use
– Semantics – Meanings of the terms

• Library or command-line usage
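The ingest-to-semantic-roots, map-to-target idea from the two Flexible Transform slides, as an added example. It is not FlexTransform's own code, schema language or semantic vocabulary: the two formats (a CSV feed and a JSON feed), their field names, the "semantic root" names and the sample record are constructed here. It shows why parsing to semantic roots scales linearly with the number of formats, and what "preserving the semantics as far as possible" means in practice: a root the target format cannot express is reported rather than silently lost.

```python
import csv
import io
import json
from typing import Dict, List, Tuple

# Schema of each constructed format: field name -> semantic root.
# Two formats need two schemas; adding a third format adds one schema,
# not a translator for every existing pair.
SCHEMAS: Dict[str, Dict[str, str]] = {
    "csv": {"ip": "indicator.ipv4", "first_seen": "sighting.first",
            "confidence": "assessment.confidence", "note": "description"},
    "json": {"address": "indicator.ipv4", "observed_at": "sighting.first",
             "desc": "description"},   # this format has no confidence field
}

# Constructed sample document (RFC 5737 documentation address).
SAMPLE_CSV = ("ip,first_seen,confidence,note\n"
              "198.51.100.7,2018-08-07T10:20:00Z,80,constructed sample\n")


def parse(text: str, fmt: str) -> List[Dict[str, str]]:
    """Ingest and parse: syntax-specific reading, then field -> semantic root."""
    schema = SCHEMAS[fmt]
    if fmt == "csv":
        raw = list(csv.DictReader(io.StringIO(text)))
    elif fmt == "json":
        raw = json.loads(text)
    else:
        raise ValueError(f"unsupported format: {fmt}")
    return [{schema[k]: v for k, v in rec.items() if k in schema} for rec in raw]


def emit(records: List[Dict[str, str]], fmt: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Map semantic roots to the target's field names. Roots the target cannot
    express are collected and returned so the loss of meaning is visible."""
    inverse = {root: field for field, root in SCHEMAS[fmt].items()}
    out: List[Dict[str, str]] = []
    dropped = set()
    for rec in records:
        mapped: Dict[str, str] = {}
        for root, value in rec.items():
            if root in inverse:
                mapped[inverse[root]] = value
            else:
                dropped.add(root)
        out.append(mapped)
    return out, sorted(dropped)


def serialize(records: List[Dict[str, str]], fmt: str) -> str:
    """Write records in the target syntax."""
    if fmt == "json":
        return json.dumps(records)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(SCHEMAS["csv"]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)  # fields absent from a record are written empty
    return buf.getvalue()


def translate(text: str, src: str, dst: str) -> Tuple[str, List[str]]:
    """Full pipeline: parse source -> semantic roots -> target fields -> target syntax.
    Returns the translated document and the list of roots the target could not hold."""
    records, dropped = emit(parse(text, src), dst)
    return serialize(records, dst), dropped


if __name__ == "__main__":
    out, lost = translate(SAMPLE_CSV, "csv", "json")
    print(out)
    print("roots not representable in target:", lost)
```

Translating the sample CSV to the JSON format drops `assessment.confidence` because that format has nowhere to put it; the caller sees the loss in the returned list and can decide whether the translation is still fit for the consuming tool, which is the kind of decision an automated pipeline would otherwise make silently.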

Flexible Transform Architecture

(Figure: Flexible Transform architecture.)

Thank You!

Contact
Grant Johnson
grantj@ameslab.gov
www.ameslab.gov

CFM Contact
Argonne National Lab
fedhelp@anl.gov
https://cfm.gss.anl.gov
